Date: Wed, 3 Oct 2001 20:20:53 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Guido van Rooij <guido@gvr.org>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: IPsec rekey question (bug in racoon?)
Message-ID: <20011003202053.J8391@blossom.cjclark.org>
In-Reply-To: <20011003225701.A71045@gvr.gvr.org>; from guido@gvr.org on Wed, Oct 03, 2001 at 10:57:01PM +0200
References: <20011003130015.A68282@gvr.gvr.org> <20011003132235.C8391@blossom.cjclark.org> <20011003225701.A71045@gvr.gvr.org>
On Wed, Oct 03, 2001 at 10:57:01PM +0200, Guido van Rooij wrote:
> On Wed, Oct 03, 2001 at 01:22:35PM -0700, Crist J. Clark wrote:
> > On Wed, Oct 03, 2001 at 01:00:15PM +0200, Guido van Rooij wrote:
> > > I am using IPsec in tunnel mode. Everything works okay. Then I decide
> > > to flush my SAD entries, on _one_ side of the tunnel.
> > > Naturally, I see a key exchange going on.
> > > Afterwards I see that the system on which I flushed the SAD entries does
> > > have new ones. However the other side of the tunnel is still using
> > > the old one for its tunnel to me. I would guess that that SAD would be replaced
> > > as well?
> >
> > Why would it? The two simplex channels of an IPsec "connection" really
> > have very little to do with each other.
>
> Why? Because if one system reboots, the key is gone so there is no way
> to decrypt the incoming traffic any more?

"The key?" What key? Again, each direction is independent from the
other. Different keys will be used for each. The remote end doesn't
care about the state of the machine that was reset. As far as its SAD
is concerned nothing has changed. Therefore, no need to change the SPI.

For a general discussion of the concept see RFC2401 Sec. 4 especially
4.1 and 4.4 (4.4.3).
--
Crist J. Clark                           cjclark@alum.mit.edu
                                         cjclark@jhu.edu
                                         cjc@freebsd.org
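To make the simplex-SA point concrete, here is an added toy model of two SADs (not code from the thread, racoon, or the KAME stack): SAs are keyed by (SPI, destination, protocol) as in RFC 2401 Sec. 4.1/4.4.3, a flush on one host leaves the peer's outbound SA untouched, and inbound packets arriving on an SPI the flushed host no longer holds are dropped. Host addresses, SPIs and keys are constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    """One simplex Security Association: identified by (SPI, dst, proto),
    with its own key. The reverse direction is a separate SA."""
    spi: int
    dst: str
    proto: str
    key: bytes

class Host:
    def __init__(self, addr):
        self.addr = addr
        self.sad = {}                      # (spi, dst, proto) -> SA

    def add(self, sa):
        self.sad[(sa.spi, sa.dst, sa.proto)] = sa

    def flush(self):
        self.sad.clear()                   # flush the SAD on this side only

    def outbound(self, peer):
        return [sa for sa in self.sad.values() if sa.dst == peer]

    def receive(self, spi, proto):
        """Inbound lookup uses the SPI in the packet; no entry -> drop (None)."""
        return self.sad.get((spi, self.addr, proto))

def negotiate(a, b, spi_ab, spi_ba, key_ab, key_ba):
    """A phase-2 exchange installs a pair of simplex SAs on both hosts,
    one per direction, each with its own SPI and key."""
    for h in (a, b):
        h.add(SA(spi_ab, b.addr, "esp", key_ab))
        h.add(SA(spi_ba, a.addr, "esp", key_ba))

def scenario():
    a, b = Host("10.0.0.1"), Host("10.0.0.2")         # constructed hosts
    negotiate(a, b, 0x1001, 0x2001, b"k-ab-old", b"k-ba-old")
    old_b_out = b.outbound(a.addr)[0]                 # B's SA toward A
    a.flush()                                         # flush on A only
    negotiate(a, b, 0x1002, 0x2002, b"k-ab-new", b"k-ba-new")
    b_still_has_old = old_b_out in b.outbound(a.addr) # B's SAD unchanged
    a_drops_old = a.receive(old_b_out.spi, "esp") is None  # unknown SPI
    new_ok = a.receive(0x2002, "esp") is not None     # new B->A SA works
    return b_still_has_old, a_drops_old, new_ok
```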